AWS Certified Developer – Associate — Question 293

A company is using Amazon Cognito user pools for sign-up and login functionality for a web application. The company is using Amazon RDS for the application’s data persistence and is using Amazon API Gateway and AWS Lambda for the application’s API functionality. Users must provide their first name, last name, email address, and phone number to sign up. All API endpoints have a Cognito user pool authorizer to guard against unauthenticated requests.

A developer wants to show a personalized welcome screen to users after they log in. The welcome screen needs to show the user’s first name and the user’s previous login date. According to company policy, developers who work on the web application cannot store any personally identifiable information in RDS instances.

Which solution should the developer implement to meet these requirements?

Answer options

• A. After successful login, submit a Cognito request for user tokens. When redirecting to the welcome screen, provide the identity token in the Authorization header of the request. Extract the user name from the given_name claim and the user’s universally unique identifier (UUID) from the sub claim inside the identity token. Use the UUID as the key to store and retrieve the previous login information from the database.
• B. After successful login, submit a Cognito request for user tokens. When redirecting to the welcome screen, provide the access token in the Authorization header of the request. Extract the user name from the given_name claim and the user’s universally unique identifier (UUID) from the sub claim inside the access token. Use the UUID as the key to store and retrieve the previous login information from the database.
• C. After successful login, submit a Cognito request for user tokens. When redirecting to the welcome screen, provide the identity token in the Authorization header of the request. Extract the user name from the given_name claim and the user’s universally unique identifier (UUID) from the iss claim inside the identity token. Use the UUID as the key to store and retrieve the previous login information from the database.
• D. After successful login, submit a Cognito request for user tokens. When redirecting to the welcome screen, provide the access token in the Authorization header of the request. Extract the user name from the given_name claim and the user’s universally unique identifier (UUID) from the iss claim inside the access token. Use the UUID as the key to store and retrieve the previous login information from the database.

Correct answer: A

Explanation

The identity token (ID token) contains user profile claims such as 'given_name' and 'sub' (the user's unique ID), whereas the access token is used for authorization and does not contain user profile attributes. The 'sub' claim represents the user's UUID, which does not constitute PII and is safe to store in Amazon RDS as a key to track previous logins. The 'iss' claim represents the token issuer (the Cognito user pool endpoint), not the user's unique identifier, which makes options C and D incorrect.